Overview
Instance HA operates with elevated compute privileges: it can initiate instance evacuations, modify host states, and access IPMI credentials stored in the database. Proper security configuration limits the blast radius of a compromised service account, prevents unauthorized recovery triggers, and protects sensitive infrastructure credentials.

RBAC Policy Enforcement

Instance HA enforces role-based access control via the Oslo policy engine. Default roles:

| Role | Permissions |
|---|---|
| admin | Full access: create/modify/delete segments, approve and trigger recovery |
| member | Read access to notifications and segment listings |
| reader | Read-only access to all Instance HA resources |
Review Default Policies
List effective policies
Restrict Segment Management
To restrict segment creation and deletion to cloud administrators only, verify the default policy rules are not overridden in your deployment:

Check policy overrides

admin role.
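One way to automate the override check above, as an added example that is not part of the Instance HA documentation or code base: a minimal evaluator for oslo.policy-style rule strings ("role:admin", "rule:name", joined with "and"/"or") applied to an override file in oslo.policy's JSON form. The rule names (`segment:create`, `segment:update`, `segment:delete`, `admin_api`) and the override file contents are constructed placeholders; substitute the names from your deployment's policy file.

```python
"""Flag segment-management policy overrides that no longer require the admin role.

Added example; not Instance HA code. Implements a small subset of the oslo.policy
rule language, enough to see which of the three default roles a rule admits.
"""
import json

# Constructed override file (oslo.policy JSON form). Rule names are hypothetical;
# "segment:delete" has been loosened by mistake to include the member role.
OVERRIDES_JSON = json.dumps({
    "admin_api": "role:admin",
    "segment:create": "rule:admin_api",
    "segment:update": "rule:admin_api",
    "segment:delete": "rule:admin_api or role:member",
    "segment:list": "role:reader or rule:admin_api",
})

# Hypothetical names of the rules that must stay admin-only.
SEGMENT_MANAGEMENT_RULES = ("segment:create", "segment:update", "segment:delete")

# The default roles from the table above.
ROLES = ("admin", "member", "reader")


def _evaluate(expr, role, rules, depth=0):
    """Evaluate a rule expression for a single role.

    Supports 'or' (lowest precedence), 'and', 'role:<name>', 'rule:<name>',
    '@' (always allow) and '!' (always deny). Anything unrecognised denies,
    which is the safe outcome for a checker.
    """
    if depth > 20:
        raise ValueError("rule recursion too deep: " + expr)
    expr = expr.strip()
    if " or " in expr:
        return any(_evaluate(p, role, rules, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(_evaluate(p, role, rules, depth) for p in expr.split(" and "))
    if expr.startswith("role:"):
        return expr[len("role:"):] == role
    if expr.startswith("rule:"):
        target = expr[len("rule:"):]
        return _evaluate(rules.get(target, "!"), role, rules, depth + 1)
    if expr == "@":
        return True
    return False


def roles_allowed(rule_name, rules):
    """Return the default roles that satisfy the named rule, in ROLES order."""
    return [r for r in ROLES if _evaluate(rules.get(rule_name, "!"), r, rules)]


def find_loosened_rules(overrides_text):
    """Map each overridden management rule to its allowed roles when not admin-only.

    Rules absent from the override file are assumed to keep their defaults and
    are skipped.
    """
    rules = json.loads(overrides_text)
    problems = {}
    for name in SEGMENT_MANAGEMENT_RULES:
        if name not in rules:
            continue
        allowed = roles_allowed(name, rules)
        if allowed != ["admin"]:
            problems[name] = allowed
    return problems


if __name__ == "__main__":
    for name, allowed in find_loosened_rules(OVERRIDES_JSON).items():
        print(f"{name}: allowed to {allowed}, expected admin only")
```

Run against the effective policy (the overrides merged with defaults) rather than the override file alone if you want to catch a default that the deployment has changed upstream; the evaluator itself does not care where the rules came from.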
Service Account Credentials
Instance HA authenticates to Xloud Identity and the Compute API using a dedicated masakari service account. Manage these credentials securely.
Rotate service account password
Minimum required roles for service account
Do not grant broader roles than required. The masakari service account requires the following minimum roles:

| Service | Role | Purpose |
|---|---|---|
| Xloud Compute | admin | Initiate evacuations, query host state |
| Xloud Identity | service | Authenticate API tokens |
The admin role on Compute is necessary for evacuation operations and cannot be reduced.

IPMI Credential Security

IPMI credentials are stored in the Instance HA database within the hosts.control_attributes column. These credentials grant physical access to compute hardware.
Database access restriction
Limit database access to the Instance HA service account only:

Grant minimum database privileges

Verify no other service accounts have access to the masakari database.

Disable debug logging in production

Debug logging may write control_attributes contents (including IPMI passwords) to log files. Ensure debug logging is disabled:

/etc/xavs/instance-ha/instance-ha.conf
Verify debug is disabled
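As an added example (not Instance HA's own tooling), the following script performs the two checks a reviewer would want here: it reads the `[DEFAULT] debug` option from an instance-ha.conf-style file with `configparser`, and it scans log lines for `control_attributes` dumps that carry a password field, redacting the value so the line can be shared in an incident ticket. The configuration text, the log lines and the `ipmi_password` key name are constructed for this example.

```python
"""Verify debug logging is off and detect control_attributes leaking into logs.

Added example, not part of Instance HA. Config and log samples are constructed.
"""
import configparser
import re

# Constructed configuration fragment in the style of
# /etc/xavs/instance-ha/instance-ha.conf (oslo.config INI format).
CONF_TEXT = """
[DEFAULT]
debug = True
log_dir = /var/log/xavs/instance-ha
"""

# Constructed log lines imitating a debug-level dump of a host record.
# The "ipmi_password" key is an assumed name.
LOG_LINES = [
    "2024-05-01 10:00:01.123 4321 INFO instance_ha.api [req-1] GET /v1/segments",
    "2024-05-01 10:00:02.456 4321 DEBUG instance_ha.db [req-2] host=compute-01 "
    "control_attributes={'ipmi_user': 'admin', 'ipmi_password': 'hunter2', "
    "'ipmi_address': '10.0.0.5'}",
    "2024-05-01 10:00:03.789 4321 INFO instance_ha.engine [req-3] evacuation started",
]

# Matches the first *password key/value pair inside a control_attributes dump.
# Group 1 is the key name, group 2 the secret value.
LEAK_RE = re.compile(
    r"control_attributes=.*?['\"]([a-z_]*password)['\"]\s*:\s*['\"]([^'\"]*)['\"]"
)


def debug_enabled(conf_text):
    """Return True if [DEFAULT] debug is on. A missing option means off."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getboolean("DEFAULT", "debug", fallback=False)


def find_credential_leaks(lines):
    """Return (line_number, key_name) for every line containing a password dump."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LEAK_RE.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


def redact(line):
    """Mask the password value in a control_attributes dump, leaving the key intact."""
    def _mask(m):
        start, end = m.span(2)   # offsets of the secret value within `line`
        return line[m.start():start] + "***" + line[end:m.end()]
    return LEAK_RE.sub(_mask, line)


if __name__ == "__main__":
    print("debug enabled:", debug_enabled(CONF_TEXT))
    for number, key in find_credential_leaks(LOG_LINES):
        print(f"line {number}: {key} written to log")
        print("  redacted:", redact(LOG_LINES[number - 1]))
```

The leak scan is a detection control, not a substitute for turning debug off: once a password has been written to disk it must be treated as exposed and rotated, and the affected log files handled as sensitive material.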
Key Management integration (advanced)
For the highest security posture, manage IPMI credentials using Xloud Key Management (Barbican) and inject them into Instance HA via a custom notification driver that fetches credentials at runtime rather than storing them in the database. This requires a custom control_attributes resolver plugin; consult the Instance HA architecture page for the plugin interface documentation.

Network Access Controls
IPMI Network Isolation
Place IPMI management interfaces on a dedicated management VLAN. Only the Instance
HA controller should have network access to IPMI interfaces (UDP port 623).
API Endpoint Protection
The Instance HA API (port 15868) should only be accessible from trusted management
networks. Do not expose it to project tenant networks.
Audit Logging
All Instance HA operations are logged with the requesting user's token identity. Retain API access logs for at least 90 days to support incident investigations.

Check API access logs
Review recent notification events
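To show what an audit pass over these logs can answer, here is an added example (not Instance HA's own tooling) that parses API access log lines, lists accepted write requests (recovery triggers, segment changes) made by callers without the admin role, tallies writes per user, and reports whether the retained history covers the 90-day window stated above. The log format, user and role fields, endpoints and dates are constructed for this example; adjust `LINE_RE` to the access log format your deployment produces.

```python
"""Summarise Instance HA API access logs for an audit review.

Added example, not Instance HA code. The access log format is constructed.
"""
import re
from collections import Counter
from datetime import date

# Constructed access log: date, time, request id, user, project, roles,
# method, path, HTTP status.
ACCESS_LOG = """\
2024-04-29 08:12:03 req-a1 user=ops-admin project=infra roles=admin POST /v1/segments 201
2024-04-29 08:15:44 req-a2 user=ops-admin project=infra roles=admin POST /v1/notifications 202
2024-04-30 09:01:10 req-a3 user=monitor project=infra roles=member GET /v1/notifications 200
2024-04-30 09:03:22 req-a4 user=monitor project=infra roles=member POST /v1/notifications 202
2024-05-01 11:20:05 req-a5 user=auditor project=sec roles=reader DELETE /v1/segments/seg-1 403
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<req>\S+) user=(?P<user>\S+) "
    r"project=(?P<project>\S+) roles=(?P<roles>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Methods that can change state: trigger recovery or alter segments/hosts.
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_access_log(text):
    """Parse the log into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["roles"] = set(e["roles"].split(","))
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def successful_writes_by_non_admin(entries):
    """Accepted write requests from callers lacking the admin role.

    With the default policies these should not exist; any hit points at a
    loosened policy override or a mis-assigned role.
    """
    return [
        e for e in entries
        if e["method"] in WRITE_METHODS and e["status"] < 400 and "admin" not in e["roles"]
    ]


def writes_per_user(entries):
    """Count write attempts (accepted or rejected) per user for the review."""
    return Counter(e["user"] for e in entries if e["method"] in WRITE_METHODS)


def retention_shortfall_days(entries, today_iso, required_days=90):
    """Days by which retained history falls short of the required window (0 if covered)."""
    today = date.fromisoformat(today_iso)
    oldest = min(date.fromisoformat(e["date"]) for e in entries)
    covered = (today - oldest).days
    return max(0, required_days - covered)


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    for e in successful_writes_by_non_admin(entries):
        print(f"{e['req']}: {e['user']} ({','.join(sorted(e['roles']))}) "
              f"{e['method']} {e['path']} -> {e['status']}")
    print("writes per user:", dict(writes_per_user(entries)))
    print("retention shortfall:", retention_shortfall_days(entries, "2024-07-01"), "days")
```

The rejected DELETE from the reader-role user is deliberately kept out of the first report but counted in the per-user tally: a 403 is the policy working, but a pattern of denied write attempts from one identity is still worth a look during an investigation.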
Next Steps
Engine Configuration
Tune recovery parameters including debug logging settings.
Troubleshooting
Diagnose authentication failures and policy enforcement issues.
Architecture
Review the full Instance HA deployment topology and trust boundaries.
Notification Drivers
Secure the webhook notification endpoint with appropriate authentication.